This post is from the XebiaLabs blog and has not been updated since the original publish date.
What You Need to Know About DevSecOps
Traditional security processes are often perceived as roadblocks to producing high-quality software faster. Information security, however, is vitally important, especially in highly regulated industries, and even more so in an era where the threat landscape is mounting every day.
Organizations in 2018 no longer have a choice. They must safeguard their software assets and releases while continuing to try and achieve the accelerated levels of quality and speed of delivery their customers demand.
Enter DevSecOps – the practice of shifting security left in the software delivery pipeline, minimizing vulnerabilities, and bringing security closer to IT and business objectives.
Are you new to the DevSecOps approach? Here are some of the essential terms, tools, and practices you need to know.
DevSecOps – An approach to increasing software security in which security practices that have traditionally occurred only at or near the end of the software delivery lifecycle are integrated into every part of the pipeline, from code commit to deployment monitoring.
Application security testing – Measures taken throughout the pipeline to find and prevent threats to an application without disrupting how code is written, built, tested, or deployed. These measures include static code review, dynamic analysis of the running application, automated scanning, patching, and vulnerability analysis.
Chain of custody – The roles, permissions, and records in the software lifecycle that establish who handled each software component at each stage, giving control over and visibility into everything that moves through the delivery pipeline.
Code analysis tools – Tools that automatically scan code to verify compliance with rules predefined by the organization and with industry best practices. They help enforce sound code structure and conformance to organizational standards.
Dynamic application security testing (DAST) – Tools that exercise an application in its running state to detect behaviour indicative of a security vulnerability.
Identity and access management – Tools to control individual identities – their authentication, authorization, roles, and privileges – within or across system and enterprise boundaries.
Log management – The automated collection of events that occur within the software delivery lifecycle and in the Production environment. A log management system collates and processes potential security events so that those needing review can be identified, alerted on, and escalated.
Runtime application security – Software built into the application runtime environment to detect and block attacks in real time. These tools bridge the gap between application security testing and network perimeter controls.
Security as code – A tenet of DevOps in which security practices are codified, automated, and enforced as part of the delivery pipeline. Because policies and tests are stored in code repositories, they are versioned and reviewed like any other code and applied consistently throughout the pipeline.
Software configuration management (SCM) – Tools for tracking and controlling changes in the software lifecycle, including configuration identification, build management, identification of items and baselines, and reporting of changes for remediation. SCM tools are extremely useful for identifying unauthorized changes that can lead to unauthorized or malicious actions.
Static application security testing (SAST) – A set of technologies that analyze source code and binaries, without executing them, for patterns indicative of security vulnerabilities.
Test automation – The embedding of security testing and controls throughout the delivery pipeline to create standard, repeatable processes for verifying that security standards are met.
Threat modeling – A practice of identifying, communicating, and understanding threats and mitigations within the context of protecting something of value. As part of software development, a threat model illustrates the components that make an application work, identifies potential risks, and determines courses of action. Threat modeling is often described as "Security by Design."
Transport layer security (TLS) – A protocol that provides confidentiality, data integrity, and authentication of the server (and optionally the client) between two communicating applications.
Unit security testing – Security vulnerability checks integrated into the development and testing phases of the software development lifecycle (SDLC). Good practice embeds these checks in the SDLC process itself, so they cannot be circumvented.
Web application firewalls (WAF) – A firewall for HTTP applications that inspects requests and responses and blocks those matching known attack patterns. A WAF is a compensating control, not a substitute for fixing the underlying code.
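The "Security as code" and "Unit security testing" entries above describe policies and checks that live in the repository and run as a non-bypassable pipeline gate. The following is an added example, not code from the XebiaLabs blog or from any product it describes: a small policy-as-code checker with hypothetical rule IDs (SEC001 to SEC004) run over a constructed in-memory set of source files. It returns structured findings and a pass/fail decision that a CI job can act on.

```python
"""Policy-as-code gate: scan source files for insecure patterns and fail the build.

Added example for illustration. The rule IDs, patterns, severities and the
sample repository below are all constructed for this example.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    description: str


# Hypothetical policy rules: (rule id, pattern, description, severity).
# Stored in the repository alongside the code, so changes to the policy
# go through the same review as changes to the application.
RULES = [
    ("SEC001", re.compile(r"verify\s*=\s*False"),
     "TLS certificate verification disabled", "high"),
    ("SEC002", re.compile(r"(?i)\b(password|passwd|secret|api_key|token)\w*\s*=\s*['\"][^'\"]{8,}['\"]"),
     "hard-coded credential", "high"),
    ("SEC003", re.compile(r"\bDEBUG\s*=\s*True\b"),
     "debug mode enabled", "medium"),
    ("SEC004", re.compile(r"PROTOCOL_TLSv1(_1)?\b|PROTOCOL_SSLv"),
     "deprecated TLS/SSL protocol version pinned", "high"),
]

BLOCKING_SEVERITIES = {"high"}


def scan_text(path, text):
    """Return findings for one file's contents. Comment-only lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue
        for rule_id, pattern, description, severity in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule_id, severity, description))
    return findings


def scan_tree(files):
    """Scan a mapping of path -> contents, in stable path order."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


def gate(findings):
    """True if the pipeline may proceed: no finding of blocking severity."""
    return not any(f.severity in BLOCKING_SEVERITIES for f in findings)


# Constructed sample repository (not real project code).
SAMPLE_REPO = {
    "app/settings.py": "DEBUG = True\nSECRET_KEY = 'change-me-in-prod-123'\nALLOWED_HOSTS = ['example.com']\n",
    "app/client.py": "import requests\n\ndef fetch(url):\n    # verify=False is left over from a demo; policy forbids it\n    return requests.get(url, verify=False, timeout=5)\n",
    "app/tls.py": "import ssl\nctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n",
    "legacy/compat.py": "import ssl\nctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)\n",
}


if __name__ == "__main__":
    results = scan_tree(SAMPLE_REPO)
    for f in results:
        print(f"{f.path}:{f.line}: {f.rule} [{f.severity}] {f.description}")
    # Non-zero exit status is what makes the check non-bypassable in CI.
    sys.exit(0 if gate(results) else 1)
```

The regular expressions are deliberately narrow (for instance, `PROTOCOL_TLSv1_2` is not flagged) to keep false positives low; a real SAST tool does far more, but the shape is the same: versioned rules, machine-readable findings, and an exit status the pipeline cannot ignore.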